Shields Up: Time to Double-Check Security Practices
May 17, 2022 • Sushma Annareddy
In a digital world, there are thousands of ways to connect utility companies with their customers. But how do we make this transformation while doing it safely and securely? How can utilities and their customers be assured their digital data is being properly protected? One of the cornerstones of building trust is the priority that utilities place on digital safety and data security. In particular, the current situation in Ukraine has increased the visibility of the need for utilities to stay cyber-resilient and maintain that client trust.
Since its inception almost 30 years ago, Franklin Energy has invested in innovative technologies to improve customer service, outreach, and engagement while creating a positive experience. This includes online application processing, ordering an energy-efficient product, scheduling an onsite service appointment, or engaging in a conversation with a contact center representative. While these ongoing improvements have made life easier in many aspects, it is paramount to keep a constant eye on security measures.
Our safety and security are handled behind the scenes at every step as data is collected, transmitted, and stored. Over the years, we’ve learned lessons from the missteps of utilities, vendors, and our own team and security events, all of which have enabled us to build a playbook of best practices. Likewise, the past few years of escalating ransomware demands, numerous disclosures of severe vulnerabilities, and supply-chain incidents have created an environment requiring all organizations—not just utilities and those who serve them—to boost their cyber security and cyber resilience strategies. Now is a good time to evaluate your organization’s security posture and double-check your practices against those we have learned over time and outlined below.
First, it is important to understand that information security is a journey, not a destination. Within this journey, there are several key components: a design (the architecture), a plan (the roadmap), and the willingness to get the job done over the long haul (the journey itself). Just because a specific measure worked yesterday does not mean it will work today. In the rapidly evolving world of cybersecurity, we can never stand still.
Second, it is vital to secure executive leadership sponsorship as part of this journey. Benefits include allocation of financial and personnel resources, an engaged leader (or multiple) in championing the implementation of the necessary processes, and an attitude of encouragement for adoption within the organization.
Lastly, revisiting and re-visioning the plan from time to time is a great practice. As I mentioned earlier, this is an ongoing process that requires occasional updates and new approaches. Taking the time to look back and see how far your company has come while charting an adjustment is an extremely valuable part of the process.
Before reviewing some security best practices we’ve learned at Franklin Energy, it is beneficial to start by establishing the difference between cybersecurity and cyber resilience. Cybersecurity includes the technologies and measures utilized to thwart cyber threats. Cyber resilience is the ability to maintain business operations despite a cyber-attack or breach. No cybersecurity solution is infallible. So, both cybersecurity and cyber resilience are essential to protecting an organization’s bottom line, productivity, and brand reputation.
At Franklin Energy, our mobile- and cloud-first philosophy translates into a highly complex, multi-cloud ecosystem with many interoperable systems and integration dependencies; this approach is not unique in today’s digital landscape. Using the right combination of people, processes, and technology provides the necessary security layers for secure processing and storage of data.
Defense-in-Depth Approach. In a defense-in-depth arrangement, controls are layered, so if an attacker breaches one control, controls at the next layer continue to provide protection. To provide a holistic approach to information security and set expectations across the organization, leverage a Written Information Security Policy (WISP) that utilizes various layers of policies, procedures, processes, standards, and work instructions. For example, our defense-in-depth system at Franklin Energy includes over 125 security controls, and our WISP spans five layers of processes, instructions, and more. Any violation of these policies or procedures should be considered a serious offense that can result in employee disciplinary actions, including termination. Utilizing a third party may be helpful to gain an outsider’s perspective; Franklin Energy has worked with the security team of a trusted advisor to successfully complete the security review process and vet our security and privacy program.
Defensive Barriers Through Tools and Automation. Security controls and procedures specific to identity/access/role management, data encryption, multi-factor authentication, patching, and device encryption/lock screens are vital. Timely updates and upgrades for all systems should be mandated within a policy that provides guidelines for priority and timeliness. Patching can be deployed via central management tools, and automation should be leveraged whenever possible to allow for efficient management. Automation allows IT teams to optimize resources while reducing human error in security responses. Stateful firewalls, IDS/IPS, a SIEM tool, user behavior analytics, review of logs, anti-virus, malware monitoring, and content monitoring/filtering on all endpoints and network gateways should be part of your cybersecurity tool kit. We have found that using an integrated suite of tools from a single vendor has proven to be economical in meeting multiple control objectives.
AppSec in the SDLC. When developing software, security should be integrated into the software development lifecycle as part of the system design and via static and dynamic code analysis prior to release. Secure coding training for all software developers is an excellent way to keep an entire team—or multiple teams—operating at the highest possible standard. Additionally, continuous monitoring ensures that no new application vulnerabilities are introduced.
Penetration and Vulnerability Assessments. Utilizing automated tools and techniques, including infrastructure for penetration testing, to scan for vulnerabilities is a must. We recommend undergoing internal and third-party testing of applications and infrastructure at various frequencies: daily, weekly, monthly, and yearly. The findings and their necessary mitigations can guide an organization’s security and resiliency journey.
Security Education and Awareness. At Franklin Energy, all employees and contractors are subject to background checks and ongoing information security training. Ensuring all levels of an organization are familiar with acceptable data use, data handling, phishing risks, confidentiality expectations, and privacy standards is important, as is sending out intermittent reminders of these topics. Each user should be their own “human firewall,” trained to identify and report suspicious activity. Regularly running phishing simulations is a great way to make everyone in the organization feel more confident as well as to increase cyber resiliency.
At Franklin Energy, our commitment to information and cybersecurity is best exemplified by our attainment of SOC 1 and SOC 2 Type II certifications that are cross-walked to the NIST Cybersecurity and CIS CSC-20 Frameworks.
Shifting from Cybersecurity to Cyber Resilience
It’s not a matter of if, but when—having the ability to handle a variety of cyber risks and being prepared to quickly recover from cyber events is a continuous process of monitoring and remediating threats and attacks that could compromise business operations. Establishing the foundation of a solid security program, incident response plan, risk management, business continuity, and disaster recovery practices provides the groundwork for becoming more cyber resilient.
Incident Management and Response Process. To be prepared for any incident it may face, an organization should build an incident management and response process that provides for communication protocols related to system security monitoring, logging, breaches, etc. Response time should be quick—at Franklin Energy, our response time is within 24 hours. Additionally, if any application vulnerabilities are discovered, they should be reported to clients or any affected parties upon completion of a root cause analysis. Afterward, remediation should be completed and communicated as well. Deploying an incident response (IR) team is one of the most effective ways to manage incident response capability, alongside following an established response plan that covers all phases of IR: monitoring, detection, analysis, containment, eradication, and recovery.
Risk Assessment Process. An organization’s risk management framework provides a guideline for an enterprise-wide risk management program, including mission, strategic objectives, corporate governance structure, and key program components and initiatives. Policies and principles should be in place for identifying, assessing, monitoring, and controlling risk at all levels of the company. Risk management efforts include provisions over compliance, operations, data, and reputation risk. Risk escalation and assessment procedures should be structured to provide the necessary tools for mitigating risk and identifying process improvement opportunities.
Vendor and Third-Party Risk Management. Building an extensive vendor management program ensures continuity of security controls across companies and systems when working with partners, subcontractors, and vendors. Using flow-down contracts and security and risk assessments, it is important to actively monitor this portfolio of vendors, subcontractors, and partners for security compliance in order to improve their security postures. A real-world example of this principle is the third-party merchant services partner we use to process secure, PCI-compliant credit card payments. Our security team and management also monitor third-party service partners and request and review information from these service providers.
Disaster Recovery / Business Continuity. A business’s systems should be designed not only for performance and scalability, but also for high availability, redundancy, and recovery in the event of an outage or failure. Recovery and continuity plans should be tested annually, at a minimum.
At Franklin Energy, our cyber resiliency efforts have been focused in a few key areas:
Assess internal threats from people within our organization and external risks such as data breaches and ransomware attacks
Help employees secure home networks
Maintain a feedback loop to analyze intelligence gained during security events to adapt our capabilities
Use of playbooks for a broad range of attacks, simulations, and threat hunting activities is helpful as a company scales to meet the ever-growing threat landscape. Coupled with ongoing assessment of its strengths and limitations, this leaves an organization well-positioned to gauge its own performance and effectiveness.
Because cyber threats are constantly evolving, committing to both cybersecurity and cyber resilience strategies is a vital, ongoing mission that is necessary to protect digital assets, maintain digital trust, and bounce back as quickly as possible in the event of an incident.